This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 91%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
Hi there,
I am trying to understand how to get a valid token, especially the scope or roles in the token with curl. Here is my code (in php, but simple enough to be understandable) :
$clientId = CLIENT_ID;
$clientSecret = SECRET;
$tenant_id = TENANT_ID;
$grantType = "client_credentials";
$tokenEndpoint ="https://login.microsoftonline.com/$tenant_id/oauth2/token";
$scope = "https://<b2c tenant url>/xxxxxx-5ed7-415d-af04-xxxxxxxxxx/.default";
// Build the request body
$requestBody = "client_id=$clientId&client_secret=$clientSecret&grant_type=$grantType&scope=".urlencode($scope)."";
// Set up the curl options
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $tokenEndpoint);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $requestBody);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Execute the request
$response = curl_exec($ch);
curl_close($ch);
// Get the access token from the response
$responseJson = json_decode($response, true);
$accessToken = $responseJson["access_token"];
print $accessToken;
When testing my token on jwt.ms, everything is fine unless the scope which is not set in the token (neither scp nor roles in the claim). As a consequence, I cannot use the token since I get a 401 error (not authorize)
This piece of code works fine in a b2b context with scopes set at the app registration.
Note here I don't want to have an interactive flow with user credentials as mentionned in the doc here : https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens. I just want a valid token for the app without interaction of a user giving his username and password.
Any recommendation, link to a doc or example, etc... would be great.
thank you
Do you want to use this token to call the graph API or your custom web API?
@CarlZhao-MSFT : I'd like to use this token for the custom web API
Then you just need to change the token endpoint to the following:
$tokenEndpoint ="https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy>/oauth2/v2.0/token";
See step 3 of this document.
Hope this helps.
If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.
Hi Carl, it looks like it is what I am looking after. My concern so far in the url is regarding the policy I don't know, since it is an apps registered at a partner b2c azure (with a final goal to use their webservices and api endpoints). Is there a default out-of-the-box policy that support client credentials that I could use ? (I just made a quick test without success, but I need to dig into for the why).
Maybe you can try using the "B2C_1_signupsignin1" user flow, which is a common policy and it should exist in your partner’s B2C tenant.
$tokenEndpoint ="https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/B2C_1_signupsignin1/oauth2/v2.0/token";
If this does not work, then you may need to contact your partner to find out what user flows or custom policies are currently available in their B2C tenant.
Hi CarlZhao,
Thank you for your reply. I did a test with the url you mentionned on postman and I got the following :
error 404 : The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.
even with curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
I think I need to contact them, but somehow there is a progress :)
It appears that the "B2C_1_signupsignin1" user flow does not exist in your partner's tenant, please contact them for an available user flow or custom policy.
--please don't forget to Accept as answer if the reply is helpful--
Yes, I'll won't forget to accept as answer when the full story till resolution is in (for the readers). Your recommendations makes fully sense, for sure.
Well got It !
Here is the url to get the token with claim scope (scp):
Note here that the tenant name is actually with a .org. Let's say is is tenantname.org . So my url looks like this :
https://tenantname.b2clogin.com/tenantname.org/B2C_1_signupsignin1/oauth2/v2.0/token
And when I test the token, I have the following claims :
Thank you so much!
Good to know :)